Thanks for all the excellent feedback. I am duly chagrined that I mis-interpreted the function of the identification field.
Thanks again! Ben Carter Network Analyst Douglas County PUD 1151 Valley mall Parkway East Wenatchee WA, 98802 Voice: (509) 884-7191 Fax: (509) 884-0553 > -----Original Message----- > From: Guy Harris [mailto:[EMAIL PROTECTED] > Sent: Friday, April 04, 2003 4:40 PM > To: Ben Carter > Cc: [EMAIL PROTECTED] > Subject: Re: [Ethereal-users] IP Identification number > > On Fri, Apr 04, 2003 at 04:25:32PM -0800, Ben Carter wrote: > > If this question has already been answered I apologize for my inability > > to find it in the mailing list archives or the FAQ.. > > > > Is it possible to display the IP identification number in the main > > display? > > There is no mechanism for doing that, although there is a tap mechanism > to allow arbitrary fields to be shown in the summary output in > Tethereal: > > hostname$ man tethereal > > ... > > > -z Get Tethereal to collect various types of statistics > and > display the result after finishing reading the capture > file. Currently implemented statistics are: > > ... > > -z proto,colinfo,filter,field > > Append all field values for the packet to the > COL_INFO > information line. This feature can be used to append > arbitrary fields to the COL_INFO line in addition to the > normal content of the COL_INFO line. field is > the > display-filter name of a field which value should > be > placed on the COL_INFO line. filter is a filter string > that controls for which packets the field value will be > presented on COL_INFO line. field will only be > presented > on the COL_INFO line for the packets which match filter. > > NOTE: In order for tethereal to be able to extract the > field value from the packet, field MUST be part of the > filter string. If not, tethereal will not be able > to > extract its value. > > For a simple example to add the "nfs.fh.hash" field to > COL_INFO for all packets containing the "nfs.fh.hash" > field, use > > -z proto,colinfo,nfs.fh.hash,nfs.fh.hash > > To put "nfs.fh.hash" on COL_INFO but only for packets > coming from host 1.2.3.4 use : > > -z "proto,colinfo,nfs.fh.hash && > ip.src==1.2.3.4,nfs.fh.hash" > > This option can be used multiple times on the command > line. > > > This will be very helpful when examining UDP video streams for > > missing packets (these packet captures can be 120,000+ packets). > > Better yet, is there any way ethereal can raise some sort of flag when > UDP > > packets arrive out of order or are missing? > > Given that there is no notion of "out of order" or "missing" UDP packets > - UDP has no sequence number to allow an order to be determined or to > indicate that there are gaps in traffic - no, there is no way it, or any > other program that deals with captured network traffic, could ever do so > for arbitrary UDP packets. > > It might be possible for dissectors for particular protocols running *on > top of* UDP to do so if *those* protocols had some form of sequence > number. However, no such dissector has, as far as I know, any feature > such as that.
